...
Deployment UX
- Should we consider k8s mode of deployment or pure-containerized mode of deployment? KubeArmor works best with k8s mode of deployment and is the recommended mode. Having said that, the previous integration/demo/POC done with OH was in pure-containerized mode.
- How would the deployment of KubeArmor on the target edge node happen? Will it be deployed as a separate workload with its own control plane or will it be integrated into the same control plane as that of OH?
- There is value in keeping KubeArmor and its associated tooling decoupled from Anax and the OH Management Hub. This allows independent updates; essentially, security should be treated as one more add-on from the service provider's side.
- The real challenge here is how the OH framework would allow extensions to be built to integrate third-party tooling.
- Ship the hardening policies along with the KubeArmor installation.
...
Observability & Monitoring use-cases
Security Event Monitoring:
- File Integrity Monitoring: Any changes to the system folders should be monitored/audited.
- Reverse Shell execution
- Use of security-sensitive primitives: setuid(), setgid(), chmod(), chown()
- Updates to root certificates folder
- Use of kubectl exec to gain shell access in the pod (privilege escalation attempted)
- Monitor for external networks access
- Suspicious IP detection (e.g. using the Feodo Blocked IP List)
- Monitor for use of DGA (Domain Generation Algorithms) in the workload
Application Performance Monitoring:
- Excessive CPU usage: >90% of CPU used consistently for > 2 mins
- Excessive Memory usage: >80% of allocated memory used
- ...
Goals
- Install and run Open Horizon all-in-one, publish and deploy HomeAssistant and KubeArmor with test security policy
- Demonstrate how to monitor the listed events and access the results
Deliverables
- Documentation allowing anyone to replicate the results of the goals listed above
- Demo video showing the results
Components
- Open Horizon - to deliver and manage running workloads
- KubeArmor - to monitor and enforce security policy on host and workloads
- HomeAssistant - example service
Protection: Hardening use-cases
...
Workload/Pod/Container Hardening:
- Protecting workload secrets. Secrets could be injected into workloads using volume mounts, environment variables, etc. Provide clear guidelines and specific tooling to secure such secrets.
- Protecting sensitive assets mounted using volume mount points
...
- Network Segmentation and enforcing least-privilege network access
- Enforce Process Whitelisting
- Enforce least permissive access to sensitive assets. All volume mount points can be considered sensitive assets.
- Enforce least permissive process-based network control. Only allow a certain set of processes to do network communication.
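As an added illustration (not part of this plan, nor KubeArmor's or Open Horizon's own material), the three controls above expressed as one KubeArmorPolicy for the HomeAssistant example service. The label app=homeassistant, the binary paths and the /config volume mount are assumptions.

```yaml
# Added example, not from the original plan. Assumed: the HomeAssistant pod
# carries the label app=homeassistant, runs as /usr/bin/python3 and keeps
# its state in a volume mounted at /config.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: homeassistant-hardening
  namespace: default
spec:
  severity: 7
  tags: ["hardening", "least-privilege"]
  message: "HomeAssistant least-privilege policy violated"
  selector:
    matchLabels:
      app: homeassistant
  # Process whitelisting: with action Allow, only these binaries may
  # execute inside the matched pod.
  process:
    matchPaths:
      - path: /usr/bin/python3
      - path: /bin/sh            # assumed entrypoint wrapper
  # Least permissive access to sensitive assets: the mounted volume is
  # reachable only from the application process; the trust store is
  # readable but not writable by anything in the pod.
  file:
    matchDirectories:
      - dir: /config/
        recursive: true
        fromSource:
          - path: /usr/bin/python3
      - dir: /etc/ssl/certs/
        recursive: true
        readOnly: true
  # Process-based network control: only the application process may
  # use TCP or UDP sockets.
  network:
    matchProtocols:
      - protocol: tcp
        fromSource:
          - path: /usr/bin/python3
      - protocol: udp
        fromSource:
          - path: /usr/bin/python3
  action: Allow
```

Because Allow rules turn each listed category into a whitelist for the matched pods, roll this out first with action: Audit and review the generated alerts to confirm the assumed paths match the real image before switching to Allow.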
Protection: Enforcing Network Protection
- Enforce Ingress/Egress controls using CIDRSets, Domain names, Protocols/Ports
- Auto Discover Network Protection rules.
Workload Forensics
- Workload Process Monitoring
- Workload Sensitive Asset access
- External Network exposure for workloads
- Ability to query forensics details for a specified time duration from past X days.
Other Topics:
- Leveraging Confidential Computing for hardware based protections
- Should we create security guidelines for workload creators? (discussion; comment by charisse lu)
...